Background

Signatures and indicators: what makes a good signature? It depends on the context, but the main properties are:

More resilient than rigid (resist evasion and normal changes).

More methodology-based than specific (capture methods or techniques).

More proactive than reactive (identifies new technologies).

Process

Define detection

what, where and when to look.

Assemble a sample set

a collected sample set.

a generated sample set.

try to enumerate the entire problem set.

Test existing detection(s)

Test existing detection capabilities for any free wins.

Adjust the priorities of the existing detections that apply.

Generate data

logs.

binary metadata.

Write detection

start broad and tune afterwards.

Test and tune

Process Walk-through for binaries

This applies the previous process to binaries. Malware binaries change very often, so in this case you can't rely on anti-virus products.

Process Walk-through for regsvr32.exe

This applies the previous process to regsvr32.exe. It shows that it is rather difficult to detect on the regsvr32 arguments or process name,
because the same parameters can be spelled in multiple ways, for example /s or -s, /u or -u, or the combined forms /us or -us.
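The process above applied to regsvr32.exe, as an added example that is not part of the talk or of these notes: a Python detection prototype run over a constructed sample set of process-creation command lines (the kind found in Sysmon Event ID 1 or Windows Security Event ID 4688). The sample set, the trusted-directory list and the broad rule (any regsvr32 that loads a module from outside trusted directories) are assumptions for illustration. The point it shows is the normalisation the notes call for: every switch spelling (/s, -s, /us, -us, upper or lower case) collapses to the same set of switch letters, and the process name is matched regardless of path and casing, so the rule fires however the arguments are written and the analyst can tune on the normalised switches instead of on raw strings.

```python
import re
from dataclasses import dataclass

# Constructed sample set (not real telemetry): process-creation command lines
# as they might appear in Sysmon Event ID 1 or Security Event ID 4688.
SAMPLES = {
    "benign-1":  r'C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\msxml3.dll',
    "benign-2":  r'regsvr32 -s "C:\Program Files\Vendor\vendor.dll"',
    "benign-3":  r'C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt',
    "evasion-1": r'REGSVR32.EXE /us C:\Users\bob\AppData\Local\Temp\x.dll',
    "evasion-2": r'C:\Windows\SysWOW64\regsvr32.exe -u -s C:\Users\bob\Downloads\payload.dll',
    "evasion-3": r'regsvr32 /S "C:\ProgramData\up.dll"',
}

# Assumed allow-list of directories a legitimately registered module lives in;
# tune this per environment (installers may register from other paths).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# A token is either a double-quoted string (paths with spaces) or a run of
# non-whitespace characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Regsvr32Invocation:
    switches: set   # normalised single-letter switches, e.g. {"s", "u"}
    modules: list   # positional arguments, normally the DLL/OCX to load


def parse_command_line(cmdline):
    """Return the normalised invocation if cmdline runs regsvr32, else None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens:
        return None
    # match the image name regardless of directory, casing or ".exe" suffix
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("regsvr32", "regsvr32.exe"):
        return None
    switches, modules = set(), []
    for tok in tokens[1:]:
        if tok[:1] in "/-" and len(tok) > 1:
            # "/" and "-" are interchangeable; letters may be run together
            # (/us == /u /s); "/i:arg" carries a value after the colon.
            name = tok[1:].split(":", 1)[0].lower()
            switches.update(name)
        else:
            modules.append(tok)
    return Regsvr32Invocation(switches, modules)


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def detect(cmdline):
    """Broad rule: regsvr32 loading a module from outside trusted directories.
    Returns a reason string for an alert, or None."""
    inv = parse_command_line(cmdline)
    if inv is None:
        return None
    untrusted = [m for m in inv.modules if not is_trusted_path(m)]
    if not untrusted:
        return None
    flags = "".join(sorted(inv.switches))
    return f"regsvr32 switches=[{flags}] module outside trusted dirs: {untrusted[0]}"


def run(samples=SAMPLES):
    """Evaluate the rule over the whole sample set: name -> reason or None."""
    return {name: detect(cl) for name, cl in samples.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:10} {result or 'no alert'}")
```

The rule is deliberately broad, as the process suggests: relative module paths and any non-standard directory alert, and the normalised switch list in the reason string is what you tune on afterwards (for example, suppressing silent registrations by known installers) rather than on the raw argument text.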

Computer scientists at the Lockheed Martin corporation described a new "intrusion kill chain" framework; see KillChain.

PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.

PRE-ATT&CK consists of 15 tactics and 151 techniques.

ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior.

Summary of the adversary behavior:

to know when they are coming, use PRE-ATT&CK.

to see them when they operate on your infrastructure, use ATT&CK.

to map their activities, use the "kill chain".

Don't jump directly to attacker remediation: if an adversary perceives you as hostile (e.g. hacking back), they will react differently.

Malware is a constant threat to the Android ecosystem. How to protect against it:

look at the APK file(s):

statically

or in a sandbox

looking for:

(code) signatures

hashes

permissions, reputation

The shortcomings of the current detection techniques:

static analysis is hard and can only reveal a subset of the functionality.

bypassing AV products is easy.

forensics cannot be done in real time.

Idea: look at the application heap, because Android apps make heavy use of objects. The novelty is that the code is instrumented before execution:

objects live on the heap, so they are accessible.

trace calls and monitor the behavior.

a great way to gain insight into applications.

The author presented his own framework, called Uitkyk. Uitkyk is a framework that allows you to identify Android malware according to the objects instantiated on the heap of a specific Android process.

The framework also integrates with the Frida framework, which is a "dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers".

Here are my quick notes from the BruCON 2018 conference. This first day was called "Retro Day" because it contained the best (as chosen by people) previous talks. All the slides of the conference can be found here.

Implementing selfish behavior using cheap devices

Implementing the selfish behavior (this was done by modifying the firmware):

disable Backoff.

reduce AIFSN.

Countermeasures to this problem:

the DOMINO defense system detects selfish devices.

What if there are multiple selfish stations?
In theory, in a collision both frames are lost, but in reality, due to the "capture effect", in a collision the frame with the best signal and the lowest
bit-rate is decoded (similar to FM radio).
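A slot-based toy model of the contention described above, as an added example that is not part of the talk: two honest stations follow the normal AIFSN and random backoff, one station has backoff disabled and AIFSN reduced (the firmware changes the notes mention), equal waits collide and the capture effect hands the collision to the strongest signal. A simplified DOMINO-style monitor then flags the station whose observed idle time before transmitting is far below everyone else's. The station parameters, the contention model, the activity probability and the detection threshold are all assumptions for illustration, not DOMINO's actual algorithm.

```python
import random
from collections import defaultdict

# Slot-based toy model of 802.11 DCF contention (an assumption for
# illustration). A station with a frame queued waits AIFSN slots plus a
# random backoff drawn from [0, CW_MIN]; the shortest wait wins the medium.
CW_MIN = 15
HONEST_AIFSN = 3

# Constructed station set: two honest stations and one selfish station whose
# (hypothetical) modified firmware disables backoff and reduces AIFSN.
STATIONS = [
    {"name": "A", "aifsn": HONEST_AIFSN, "no_backoff": False, "rssi": -60},
    {"name": "B", "aifsn": HONEST_AIFSN, "no_backoff": False, "rssi": -70},
    {"name": "C", "aifsn": 1, "no_backoff": True, "rssi": -65},
]


def wait_slots(station, rng):
    backoff = 0 if station["no_backoff"] else rng.randint(0, CW_MIN)
    return station["aifsn"] + backoff


def simulate(stations, rounds=2000, p_active=0.5, seed=7):
    """Return per-station win counts, active counts and the idle slots a
    passive monitor would observe before each station's transmissions."""
    rng = random.Random(seed)
    rssi = {s["name"]: s["rssi"] for s in stations}
    wins, active = defaultdict(int), defaultdict(int)
    observed_idle = defaultdict(list)
    for _ in range(rounds):
        waits = {}
        for s in stations:
            if rng.random() < p_active:  # station has a frame to send this round
                active[s["name"]] += 1
                waits[s["name"]] = wait_slots(s, rng)
        if not waits:
            continue
        best = min(waits.values())
        contenders = [n for n, w in waits.items() if w == best]
        # capture effect: on a collision the strongest signal is decoded
        winner = max(contenders, key=lambda n: rssi[n])
        wins[winner] += 1
        # the monitor only sees the frame that went on air and the idle
        # slots that preceded it (AIFS plus backoff of the winner)
        observed_idle[winner].append(best)
    return wins, active, observed_idle


def detect_selfish(observed_idle, threshold=0.5):
    """DOMINO-style check (simplified): flag a station whose mean observed
    idle time before transmitting is far below that of the other stations."""
    means = {n: sum(v) / len(v) for n, v in observed_idle.items() if v}
    flagged = set()
    for name, mean in means.items():
        others = [m for n, m in means.items() if n != name]
        if others and mean < threshold * (sum(others) / len(others)):
            flagged.add(name)
    return flagged


if __name__ == "__main__":
    wins, active, idle = simulate(STATIONS)
    for n in sorted(active):
        print(f"{n}: active in {active[n]} rounds, won {wins[n]}")
    print("flagged as selfish:", detect_selfish(idle))
```

Because the selfish station's wait (1 slot) is always shorter than the honest minimum (3 slots), it wins every round in which it has a frame; the honest stations only get the medium when it is idle, which is exactly the contrast the monitor keys on.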

Continuous jamming

how it works:

instant transmit: disable carrier sense.

no interruptions: queue an infinite number of packets.

The result:
– only the first packet is visible in monitor mode
– other devices are silenced

What is the impact in practice?
Any device using the 2.4 GHz and 5 GHz bands can be jammed: not only Wi-Fi, but other devices such as security cameras.

Selective jammer

It decides based on the header whether to jam the frame,
so it should:

detect and decode the header.

abort receiving current frame.

inject dummy packet

The hard part is the first step. This is done by monitoring the (RAM) memory written by the radio chip.

Back in the '90s the hacker community was looked at with suspicion by the software industry, because hackers were finding security problems and the software publishers had no process to handle these findings.

Back in the '90s the only reference for creating a secure system was the "Orange Book"; but the Orange Book is all about security features, with no word about bugs or vulnerabilities.

CERT: the internet community had no means to fight against malware, which is why CERT was created. But the hacker community stopped participating in CERT because there was no traceability of the issues reported, so Bugtraq was created.

Hackers created the concept of the pen-test and the first (hacking) tools:

crack

SATAN (first network scanner)

netcat

NFT (first IDS)

The idea of securing systems by trying to break them was initially not very well received by the industry.

In 2000 companies started to hire hackers.
2002: Microsoft Trustworthy Computing; all the processes of this initiative were influenced by hackers.

2003 (modern security era)

pen-tests became a requirement

companies created bug bounty programs

The idea that security is an external process applied at the end is broken.
Security must be embedded in each part of the SDLC.

Detect malware with no HTTPS decryption

All these logs are aggregated to create SSL aggregations, and from those the ssl-connect-units are generated (each ssl-connect-unit represents an SSL connection). Each ssl-connect-unit has a source IP, destination IP, destination port, protocol and about 40 other features (properties), such as the number of packets, the number of bytes, the number of different certificates, and the ratio of established to not-established states.

A data set was created from all these ssl-connect-units and machine learning algorithms were run against it.
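The feature construction described above, as an added example that is not the talk's code: flow records shaped after Zeek/Bro conn.log and ssl.log fields are grouped into ssl-connect-units and turned into a numeric feature matrix without touching the TLS payload. The page does not name its log source, its exact aggregation key, or how it defines "established"; grouping by (source IP, destination IP, destination port, protocol), treating Zeek's completed-handshake conn_state values as established, the sample records and the handful of features below are all assumptions for illustration (the talk used about 40).

```python
from collections import defaultdict

# Constructed records (not real traffic), shaped after Zeek/Bro conn.log
# and ssl.log fields. uid links a TLS handshake record to its flow.
CONN_LOG = [
    {"uid": "C1", "orig_h": "10.0.0.5", "resp_h": "203.0.113.9", "resp_p": 443, "proto": "tcp",
     "conn_state": "SF", "orig_pkts": 12, "resp_pkts": 10, "orig_bytes": 1500, "resp_bytes": 4200},
    {"uid": "C2", "orig_h": "10.0.0.5", "resp_h": "203.0.113.9", "resp_p": 443, "proto": "tcp",
     "conn_state": "S0", "orig_pkts": 3, "resp_pkts": 0, "orig_bytes": 180, "resp_bytes": 0},
    {"uid": "C3", "orig_h": "10.0.0.5", "resp_h": "203.0.113.9", "resp_p": 443, "proto": "tcp",
     "conn_state": "SF", "orig_pkts": 9, "resp_pkts": 8, "orig_bytes": 1100, "resp_bytes": 3900},
    {"uid": "C4", "orig_h": "10.0.0.7", "resp_h": "198.51.100.20", "resp_p": 443, "proto": "tcp",
     "conn_state": "REJ", "orig_pkts": 2, "resp_pkts": 1, "orig_bytes": 120, "resp_bytes": 60},
]
SSL_LOG = [
    {"uid": "C1", "server_name": "example.test", "cert_sha1": "aaaa"},
    {"uid": "C3", "server_name": "example.test", "cert_sha1": "bbbb"},
]

# Zeek conn_state values where the TCP handshake completed (an assumption
# about what counts as "established").
ESTABLISHED = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}

FEATURE_NAMES = [
    "n_connections", "n_packets", "n_bytes", "mean_packets_per_conn",
    "n_ssl_handshakes", "n_distinct_certs", "established_ratio",
    "not_established_ratio", "resp_to_orig_bytes_ratio",
]


def build_ssl_connect_units(conn_log, ssl_log):
    """Aggregate flows sharing (src IP, dst IP, dst port, proto) into one
    ssl-connect-unit and compute its features. Returns {key: features}."""
    certs_by_uid = {r["uid"]: r["cert_sha1"] for r in ssl_log}
    groups = defaultdict(list)
    for c in conn_log:
        groups[(c["orig_h"], c["resp_h"], c["resp_p"], c["proto"])].append(c)

    units = {}
    for key, conns in groups.items():
        n = len(conns)
        established = sum(1 for c in conns if c["conn_state"] in ESTABLISHED)
        with_ssl = [c for c in conns if c["uid"] in certs_by_uid]
        certs = {certs_by_uid[c["uid"]] for c in with_ssl}
        packets = sum(c["orig_pkts"] + c["resp_pkts"] for c in conns)
        obytes = sum(c["orig_bytes"] for c in conns)
        rbytes = sum(c["resp_bytes"] for c in conns)
        values = [
            n, packets, obytes + rbytes, packets / n,
            len(with_ssl), len(certs), established / n,
            (n - established) / n,
            rbytes / obytes if obytes else 0.0,
        ]
        units[key] = dict(zip(FEATURE_NAMES, values))
    return units


def feature_matrix(units):
    """Fixed-column rows ready for a scikit-learn / XGBoost style fit()."""
    keys = sorted(units)
    rows = [[units[k][f] for f in FEATURE_NAMES] for k in keys]
    return keys, rows


if __name__ == "__main__":
    keys, rows = feature_matrix(build_ssl_connect_units(CONN_LOG, SSL_LOG))
    print(FEATURE_NAMES)
    for k, row in zip(keys, rows):
        print(k, [round(v, 3) for v in row])
```

Labelling each unit (malicious or benign, from the capture it came from) and feeding the rows to the listed algorithms is the step that follows; the point here is that every feature comes from connection metadata and certificate identity, none from decrypted content.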

(ML) Algorithms used

XGBoost (Extreme Gradient Boosting)

Random forest

Neural network

SVM

After running all these ML algorithms, the features identified as the most important for detecting malware traffic were:

The idea was that the security industry keeps doing the same things over and over again; very often, as defenders, we build very static walls. So the presenter proposed an "active defense":

Active defense is not about :

hacking back

a single technical solution

revenge

Active defense is about:

having a range of solutions.

All the proposed solutions and demos are part of the Active Defense Harbinger Distribution (ADHD), a Linux distribution based on Ubuntu LTS that comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:

The claim: the SQL injection vulnerability is dead due to the massive use of ORM frameworks, and the same goes for XSS injections due to MVC frameworks, templates and default HTML escaping. So, as a hacker, you must find new vulnerabilities; here are 5 (esoteric) vulnerabilities:

The keynote was quite entertaining, mainly because it used references to Greek and Babylonian mythology, but on the other hand it was very difficult to really understand the message and the ideas that the presenter tried to promote.
But here are some ideas that I was able to catch:

assume compromise

business people do not understand the security goals

perimeter defense: you have to win every time; one single mistake and the perimeter can be breached.

attackers use speed; the defenders never have the initiative.

The presenter believes that security is seen by the casual user/client as a burden. Security people should try to understand why users circumvent security, try to understand how people work, and adapt the security to fit the users' needs.

The possible solutions do not come from the IT world; try to apply design thinking. A good design solution should have the following properties: